← Back to home

Privacy Policy

Last updated: 6/23/2026 · Operated by Smartify Consulting (Pty) Ltd.

1. Overview

picnic ("we", "us", "the Service") is a calendar orchestration and meeting-intelligence service operated by Smartify Consulting (Pty) Ltd. It synchronises availability across multiple Google and Microsoft calendar accounts, provides bookable scheduling pages, and uses your inbox to surface meeting context. This Privacy Policy explains what we collect, how we use it, and the choices you have.

2. Data we collect

  • Account info: name, email address, and password hash.
  • OAuth tokens: access and refresh tokens issued by Google and Microsoft when you connect an account. Stored encrypted at rest, used only to call provider APIs on your behalf.
  • Google Calendar data: calendars you authorise, event times, titles, locations, descriptions, attendees, and free/busy windows.
  • Gmail data: message metadata (sender, recipients, subject, dates) and message bodies for emails you ask us to summarise, digest, or use for meeting prep.
  • Booking data: bookings made through your public booking page, including invitee name, email, and any answers they provide.
  • Usage data: standard server logs (IP, user agent, timestamps) for security and debugging.

3. How we use Google user data

Google Calendar. We use Calendar data to compute your real-time availability across connected accounts, prevent double bookings by writing "busy" blockers you ask us to create, mirror events between calendars when you enable that, and power your shareable booking page.

Gmail. We use Gmail data to generate your daily digest, prepare meeting briefs from related email threads, surface action items in the intelligence inbox, and — only when you explicitly trigger it — draft and send replies on your behalf using gmail.send.

We do not use Google user data to train generalised AI/ML models. Any AI processing happens on a per-request basis to deliver the feature you invoked.

4. OAuth authentication

We authenticate to Google using the OAuth 2.0 authorization-code flow. You consent to a specific set of scopes on Google's consent screen; we never see your Google password. Access tokens and refresh tokens are stored encrypted in our database and used only to call Google APIs to deliver the features above. You can revoke our access at any time from the Accounts page inside picnic, or from your Google Account permissions page.

5. We do not sell your data

We do not sell, rent, or trade your personal data, calendar data, or email data to any third party. We do not use it for advertising, and we do not share it with advertisers or data brokers.

6. Google API Services User Data Policy — Limited Use disclosure

picnic's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google user data only to provide and improve user-facing features (availability sync, conflict prevention, booking pages, email digests, meeting intelligence).
  • We do not transfer Google user data to third parties except as necessary to provide the service, comply with law, or as part of a merger or acquisition.
  • We do not use Google user data for advertising.
  • We do not allow humans to read Google user data unless we have your explicit consent, it is necessary for security, to comply with law, or it is aggregated and anonymised for internal operations in compliance with the policy.

7. Storage & security

Data is stored in our managed Postgres database, encrypted at rest. Access is restricted by row-level security so a user can only read their own data. All traffic is encrypted in transit via TLS.

8. Data retention & deletion

You can disconnect any account at any time from the Accounts page; that revokes our tokens and removes synced events and blockers we created. You can delete your account from Settings; that permanently removes all of your data within 30 days. To request deletion outside the app, email support@syncmyday.co.za.

9. Sub-processors

We use the following sub-processors: Supabase (database and authentication), Cloudflare (hosting/CDN), and the AI provider that powers our daily digest and meeting intelligence. Each is bound by their own data protection terms.

10. Your rights

You may request access to, correction of, or deletion of your personal data at any time by emailing support@syncmyday.co.za. EU/UK residents have rights under GDPR; California residents have rights under CCPA; South African residents have rights under POPIA. We respond within 30 days.

11. Contact

Smartify Consulting (Pty) Ltd · support@syncmyday.co.za